Before the age of social media, messaging-specific applications, and even SMS text on your mobile phone, computer and networking enthusiasts communicated via an open internet protocol known as IRC, or Internet Relay Chat. This text-based “instant messaging” application first surfaced in 1988, written by a Finnish software developer using the alias “WiZ”, who in real life is Jarkko Oikarinen. IRC was codified in 1993 in RFC 1459 as an open networking protocol, and it does not belong to any specific person or group. This means that IRC is not going away anytime soon and will continue to outlive social media instant messaging chat applications.

“If it is not logic, it’s magic. If it is not magic, it is female logic.”

— Jarkko Oikarinen

Everything you need to know about IRC

IRC follows a standard server/client networking model consisting of a collection of servers hosting multiple channels, where multiple users can connect via a standalone chat application or a web interface client. There are a number of Windows, Mac, and Linux based IRC clients available for diving into the hidden social network of IRC; however, because most clients are maintained by academic or recreational open source software developers, continued support and up-to-date IRC client applications can be challenging, if not impossible, to find. Another downside to IRC is that all IRC servers send and receive messages in plaintext, making IRC one of the most insecure protocols used on the internet. For this reason, many IRC servers recommend that users use a Virtual Private Network (VPN) in addition to a Tor proxy to guarantee anonymity prior to connecting to certain channels or discussing sensitive subjects. Some servers also provide additional support with IP/host cloaking to protect users’ IP addresses from disclosure to the rest of the users connected.

The people behind an IRC server are as diverse as the topics available for discussion. Individuals and groups across the world host IRC servers, creating a decentralized network of endless chat possibilities. The “channels” available on an IRC server are akin to “rooms” within a building where people gather to discuss the channel’s subject of interest or topic. Some IRC networks have hundreds of channels to choose from, such as Freenode, which publicly lists over 52,000 unique channels across its servers. The exact number of live IRC servers is unknown. Even so, irc.netsplit.de lists over 500 publicly advertised IRC servers, and there are many Tor-based IRC servers that are not advertised.

Specific channels on an IRC server are preceded by a hashtag “#” and cover a broad set of discussion topics. As one would expect, many of the topics are specific to computing, such as #linux, #python, or #networking, but others range from sports to special interests or even religious beliefs. IRC can be an excellent resource for troubleshooting software or asking technical questions, as many program developers, like those contributing to Linux distributions or mobile applications (e.g. #iPhonedev), are active on IRC and eager to answer questions and help beginners. On the other hand, some IRC conversations are extremely general and an overly complicated form of social interaction for those who choose to connect virtually with others instead of in person.

Once a user successfully connects to a given IRC server, the command /join #<channel name> allows the user to enter the room of their choice, unless the room is set to private, requiring an invitation and a password, or the room has been locked by a moderator who wants to ban abusive users from entering the channel. In some special instances, the user might strongly believe they deserve access to a locked or private channel and have been unfairly denied access. If that is the case, the user can type /knock <message>, where message is the user’s custom message sent only to the channel admins. As in real life, knocking insistently on the door might not get one access but instead annoy the admins and get the user banned from the server entirely.

Most IRC users avoid using their real names on the servers and instead connect using a “nickname” or alias for the chat. Frequent visitors to IRC channels register their “nick” with nickserv to prevent other users from using their name. Using the command /nickserv register password e-mail in the main server window (not the unique channel) associates the email to the user and prevents the user’s nickname from being used by any other guests on the server. Users concerned with anonymity or connecting from the darknet would register a nick with an anonymous email address such as secMail or TorBox and not a Clearnet (e.g. gMail or Yahoo) address that is associated with their personal identity or could be used in any way to identify them.

Popular uses of IRC Channels

Over recent years of darknet intelligence collection and interacting in the grey world of computer security, our analysts have found widespread use of IRC-based coordination, collaboration and communication among darknet and deepweb regulars on everything from hacking to carding. AnonOps and other cyber offensive collectives offer Tor-hosted IRC servers and channels covering topics such as #hackers, #hardchats, #tor, #ddos, and numerous “#op”-prefixed channels for specific operations targeting everything from the NSA to Russia.

Figure 1 Discussion on Finding "Cashiers" on IRC on a Popular Carding Forum

For this reason, DarkOwl has active autonomous data collection across hundreds of IRC servers and channels, and queries filtered to IRC-captured conversations are available using the search pod “Protocol->IRC.” DarkOwl Vision has successfully collected numerous conversations where stolen credit card information is offered for sale or for verification.

Once connected to an IRC server, conversations in the channels are known for their brightly colored text; however, the text color can also be sometimes altered in the chat client user preferences, depending on the chat client application of choice. A few sample screenshots from various chat clients are listed below.

Figure 3 Quassel Application Sample IRC

Figure 4 HexChat Sample Chat

Figure 5 Weechat Sample Chat

Many IRC servers also offer web-based chat clients, which is useful for users who have the desire and the bandwidth to run IRC within Tor Browser. In order to run web-based IRC over Tor, JavaScript must be enabled.

Figure 6 AnonOps WebChat Login

Figure 7 AnonOps Web Interface Sample Collection

When viewing IRC conversations in DarkOwl Vision, the exact text is extracted without the color or emphasized font faces. In the result from a recent IRC protocol search in DarkOwl Vision, the date and time stamp of each message is displayed along with the nickname of the user in capital letters, preceded and followed by “--”, and the message the user submitted to the channel that was collected. If the conversation included any hyperlinks (Clearnet or Darknet), the engine captures this information as well.

As with any result in DarkOwl Vision, the Metadata Details are included and any data containing personally identifiable information such as email addresses, social security numbers or credit cards is tagged appropriately.
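Because IRC is plaintext, a collector sees the raw RFC 1459 framing described above. The following added example (not DarkOwl's code) parses constructed PRIVMSG lines into the timestamp / nick / message form described earlier, pulls out Clearnet and .onion links, and tags messages that contain an email address or a Luhn-valid card number, as the Metadata Details tagging does. All nicks, hosts, addresses and the sample lines are made up.

```python
import re
from dataclasses import dataclass, field

# Constructed sample of raw IRC traffic as it appears on the wire (RFC 1459 framing).
# Every nick, host, channel, address and number here is made up.
SAMPLE_LINES = [
    ":carder1!u@host.example PRIVMSG #carding :anyone got cashiers? hit me at drops@example.net",
    ":bob!b@1.2.3.4 PRIVMSG #linux :try http://example.com/faq or the onion at http://abcdefghijklmnop.onion/",
    ":alice!a@cloak/user JOIN #python",
    "PING :irc.example.org",
    ":carder1!u@host.example PRIVMSG #carding :cc 4111111111111111 12/25 verify pls",
]

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
# 13-19 digit runs; only Luhn-valid ones are tagged as card numbers
CARD_RE = re.compile(r"\b\d{13,19}\b")


@dataclass
class Message:
    timestamp: str
    nick: str
    channel: str
    text: str
    urls: list = field(default_factory=list)
    onion_urls: list = field(default_factory=list)
    tags: list = field(default_factory=list)


def luhn_ok(digits: str) -> bool:
    """Luhn checksum used to separate real-looking card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def parse_irc_line(raw: str, timestamp: str):
    """Parse one RFC 1459 line; return a Message for channel PRIVMSGs, else None."""
    prefix = None
    rest = raw
    if raw.startswith(":"):                     # ":nick!user@host COMMAND params"
        prefix, _, rest = raw[1:].partition(" ")
    parts = rest.split(" :", 1)                 # trailing parameter begins at first " :"
    head = parts[0].split()
    trailing = parts[1] if len(parts) > 1 else ""
    if len(head) < 2 or head[0].upper() != "PRIVMSG":
        return None                             # JOIN, PING, MODE, ... are not chat text
    target = head[1]
    if not target.startswith(("#", "&")):
        return None                             # private message, not channel traffic
    nick = prefix.split("!", 1)[0] if prefix else "?"
    msg = Message(timestamp, nick, target, trailing)
    for url in URL_RE.findall(trailing):
        host = url.split("/")[2].split(":")[0].lower()
        (msg.onion_urls if host.endswith(".onion") else msg.urls).append(url)
    if EMAIL_RE.search(trailing):
        msg.tags.append("email")
    if any(luhn_ok(c) for c in CARD_RE.findall(trailing)):
        msg.tags.append("credit_card")
    return msg


def collect(lines, timestamp="2018-05-24 12:00:00"):
    """Run the parser over captured lines; a real collector would stamp each line on arrival."""
    return [m for m in (parse_irc_line(line, timestamp) for line in lines) if m]


def render(msg: Message) -> str:
    """Timestamp, nick in capitals wrapped in '--', then the message text."""
    return f"{msg.timestamp} --{msg.nick.upper()}-- {msg.text}"


if __name__ == "__main__":
    for m in collect(SAMPLE_LINES):
        print(render(m), m.tags, m.urls, m.onion_urls)
```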

Figure 8 Vision IRC Collection from 24 May 2018

Curious about something you've read on our blog? Want to learn more? Please reach out. We're more than happy to have a conversation.

Since the fall of AlphaBay and Hansa last July, purchasing goods and services on the darknet has come with great trepidation. A large international law enforcement operation seized servers in multiple countries, de-anonymized vendors and market owners, while simultaneously shattering the confidence of many loyal darknet marketplace consumers and sending a ripple of uncertainty across darknet forums and chatrooms throughout the second half of 2017.

Despite this, darknet vendors still needed to connect with their buyers, and Dream Market, a darknet marketplace since 2014 that one redditor calls the “murica of the DNMs”, quickly rose as the go-to market for drugs and digital services. However, a string of forum and reddit posts pointed to a number of inconsistent vendor PGP signatures and concerted DDoS attacks, triggering Dream Market to register almost 200 mirrors since last August. This caused many to doubt the sustainability of Dream Market and whether or not transacting on the darknet was safe and viable anymore.

Many seasoned vendors, such as OxyMonster, have been arrested or disappeared into the shadows, while others have used the times of uncertainty to set up standalone vendor shops apart from the consolidated marketplaces. Pushing Taboo is a well-known hidden service run by GammaGoblin Universe, supplying psychedelics and psychoactives such as LSD, MDMA, and tryptamines to the darknet since Silk Road v1.

Figure 1 Source Pushing Taboo on Tor

“If you came here, you must know what these places have in common. Centralized markets sooner or later become seized, hacked or their admins perform exit scams. In both situations neither vendors nor users can get their funds back … We’ve decided to allow our dear customers to bypass one of these points of failure and let you to make purchases directly with us via our own hidden service.”

There are hundreds of vendors like GammaGoblin offering personalized vendor shops outside of centralized marketplaces. With numerous Tor and I2P users coming online every day, naïve to the significance of the historical market takedowns, new darknet users and consumers still seek a centralized marketplace on the scale of Hansa or AlphaBay to stand up and provide the cooperation and counsel they crave.

Since last November, we have witnessed a surge in new centralized markets across the world. The invite-only / referral market Liberitas has a simple, clean design with a deep green background and a small selection of drugs and digital offerings for worldwide shipping. It is the first Monero-only marketplace and offers a reputation history for vendors across other markets to aid purchasers deciding on their personal vendor. Their market announcement on reddit alludes to a “special server setup”, ironically mentioning not relying solely on technology to protect the security and anonymity of the market.

Figure 2 Source Liberitas Market

Special server setup (We have gone to great lengths to ensure the anonymity of our server from the technical angle: Our server’s IP address is very far removed by many many degrees of separation, achieved through the use of specialized hardware configuration, virtualized networks, VPNs, customized TOR squid proxies and other secret techniques - as well as the nontechnical angle: we do not rely solely on technology).

— Reddit post

A couple of weeks ago, a new marketplace called Rapture appeared with the same look and feel to the former market TradeRoute. The market currently has a referral system and affiliate program to encourage new vendors to offer their goods at this market. At the time of writing the market had over 500 drug-related listings and just over 400 digital goods. The market accepts both Bitcoin and Monero and supports a personal messaging system for private conversations between users of the market, vendors, and administrators.

Figure 3 Source Rapture Market Place

Unfortunately, without purchasing goods on these markets one cannot be completely certain the market is not a scam. UnderMarket appeared in the spring of 2017 and on the surface looks and feels like a legit marketplace with a solid set of vendors (60) and listings (439). UnderMarket appears to cater to the carding community with over a dozen vendors and separate categories just for PayPal and commercial gift cards. Unlike other markets that feature their listings based on category, this market presents the listings by vendors and, like Rapture, offers an internal private communication platform to coordinate orders and ask questions of the vendors. The market also has a separate hidden service dedicated to communicating the market’s status with a vendor listing, providing customers a comprehensive location to read and assess reviews of the vendors that trade at Under Market.

Figure 4 Source Under Market Landing Page

Despite how legitimate UnderMarket appears, darknet forums and many reddit users have unleashed an uproar for months against the market claiming it is a complete scam with fake vendors and users. Many users have placed orders and received bogus tracking numbers and order confirmations from the admin that are never resolved.

Figure 5 Hidden Answers Darknet Forum on Under Market

Since December, various “new markets” have had similar streamlined registration and authenticated logins, all ending with the user submitting registration information and not being able to access the main market site. Despite multiple registrations, our analysts were unable to successfully connect with Berlusconi Market, Train Road, Nucleus, and OpMarket. Either the hidden service is no longer accessible, the captcha fails, or JavaScript would be required. Perhaps these markets are plagued with vulnerabilities and security issues like Bermuda Marketplace, which an OnionLand user, zbricktop, posted that he had successfully hacked back in November 2017. The market supposedly ran on Windows 10 with overly simplified username-password combinations such as u: testvendor and pass: testvendortestvendor.

Figure 6 Post in the Market Discussion Category of Onion Land on Tor

Other markets, Wall Street and T•chka (rebranded as Point Marketplace), have had mixed reviews despite their longevity on the darknet. After the DDoS that struck many of the markets in the fall, many users have reported bitcoin withdrawal issues and lack of support from the market admins. Some forum posts have suggested the withdrawal issues are due to the falling price of bitcoin at the new year, while others speculate about possible law enforcement compromise. Wall Street Market was removed from the DNM SuperList on Reddit for having a Clearnet mirror, a lack of understanding of the darknet, and attempted “shilling” over a dozen times with multiple accounts. On T•chka / Point, many vendors have also reported that they are struggling to get enough customers to justify the trouble of being on the marketplace in the first place, insinuating that darkweb market paranoia may be hindering the formation and confidence of new vendor-buyer relationships.

The legacy of the AlphaBay and Hansa marketplaces recently had the darknet community momentarily excited over the prospect that Hansa was returning, with the administrators seeking donations to assist with the cost of rebuilding the servers and interface. The Hansa Rebuild hidden service with the bitcoin address for donations was only available for a few weeks and at the time of writing is offline. This site, like many others, is likely a scam preying on the hopes of the former supporters of the Hansa community. The post sounded as though it was the former admins of Hansa speaking, but we know from reports last summer that the two market masterminds from North Rhine-Westphalia in Germany were arrested prior to the site converting into a law-enforcement run honeypot.

Figure 7 Source http://oidtdhh4mtvsprh6[.]onion (Screen Taken 20 December 2017 offline as of 6 March 2018)

The memory of Canadian Alexandre Cazes, the 27-year old administrator of AlphaBay who allegedly took his own life while detained in Thai Police custody, is positioned to carry on with the founders of the brand-new Empire Market creating a nearly identical replica of the centralized marketplace with the same color scheme and layout as the original AlphaBay’s. The landing page of the hidden service features a footer with the server time on the right, a Copyright tag in the center, and the line “In Memory of Alexandre Cazes” on the left-hand side.

Empire Market’s straightforward user registration included submitting a username, password, PIN, and, exactly like AlphaBay’s registration, a personal phrase that is displayed on the main marketplace page to ensure the user is on the legit centralized marketplace and not a phishing clone. Like its AlphaBay predecessor, the market includes features such as two-factor authentication (2FA), trust levels, an advanced notification system, a support system, and an EXIF data remover for product images. The market accepts Bitcoin, Litecoin and Monero.

Several vendors are already trading on the marketplace with over 1500 active listings, despite the fact the market only came online in late January 2018. It’s unclear whether the administrators of Empire Market were affiliated with AlphaBay; nevertheless, the market’s forum administrator goes by the name “Sydney.”

This market also allegedly had some security loopholes that reddit-posting hackers caught within weeks of the market’s launch. The redditor, penthat, claimed he was able to successfully access the market’s backend database and uploaded leaked configuration files. He revealed a list of their current users, stated there was no Cross-Site Request Forgery (CSRF) protection for forms related to funds withdrawals, and even managed to access all private communications sent between users. Interestingly, many of the usernames he posted were also on AlphaBay, including the moderators and the admins’ usernames alpha02 and DeSnake. The moderator, EmpireMarket, put the author of the post on the spot, claiming he did not actually breach the server but instead merely extracted the usernames by incrementing a number within cleartext URLs in the market. They also opined that each withdrawal form is tokenized to provide CSRF protection, despite the author’s claims. The moderator added in a later comment that they had patched the possibility of extracting usernames from the URLs. There was no further comment from the so-called hacker, penthat.
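The two weaknesses argued over above, an untokenized withdrawal form and usernames enumerable by incrementing a number in a URL, are shown side by side with their fixes in this added example (constructed for this post, not Empire Market's code). The session ids, balances and user names are made up; the hardened handler binds an HMAC token to the session and to the withdrawal form, and the profile lookup uses random, non-sequential identifiers.

```python
import hashlib
import hmac
import secrets

# Server-side signing key and in-memory state, constructed for this example.
SECRET_KEY = secrets.token_bytes(32)
BALANCES = {"sess-victim": 100}
# Sequential ids let anyone list every account by counting; opaque ids do not.
USERS_BY_SEQ = {1: "vendorA", 2: "vendorB"}
USERS_BY_OPAQUE = {secrets.token_urlsafe(16): name for name in USERS_BY_SEQ.values()}


def issue_csrf_token(session_id: str, form: str) -> str:
    """Token rendered into the form; bound to this session and this form only."""
    nonce = secrets.token_hex(16)
    mac = hmac.new(SECRET_KEY, f"{session_id}|{form}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return f"{nonce}.{mac}"


def verify_csrf_token(session_id: str, form: str, token: str) -> bool:
    """Recompute the MAC for the caller's session; a token from another session or form fails."""
    nonce, _, mac = token.partition(".")
    if not nonce or not mac:
        return False
    expected = hmac.new(SECRET_KEY, f"{session_id}|{form}|{nonce}".encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(mac, expected)


def withdraw_unprotected(session_id: str, params: dict) -> str:
    """Trusts the session cookie alone, so a cross-site POST carrying the victim's
    cookie is indistinguishable from the victim's own request."""
    amount = int(params["amount"])
    if BALANCES.get(session_id, 0) < amount:
        return "insufficient funds"
    BALANCES[session_id] -= amount
    return f"sent {amount} to {params['address']}"


def withdraw_protected(session_id: str, params: dict) -> str:
    """Same handler behind a per-session, per-form token that a third-party page
    cannot read (same-origin policy) or forge (needs SECRET_KEY)."""
    if not verify_csrf_token(session_id, "withdraw", params.get("csrf", "")):
        return "rejected: bad or missing CSRF token"
    return withdraw_unprotected(session_id, params)


def profile_by_seq(user_id: int):
    """Guessable: /profile?id=1, 2, 3 ... walks the whole user table."""
    return USERS_BY_SEQ.get(user_id)


def profile_by_opaque(user_id: str):
    """Not guessable: ids are 128-bit random values handed out by the site itself."""
    return USERS_BY_OPAQUE.get(user_id)


def demo():
    """Forged cross-site post vs. the legitimate in-form flow; returns the three outcomes."""
    forged = {"amount": "40", "address": "third-party-address"}
    r1 = withdraw_unprotected("sess-victim", dict(forged))
    r2 = withdraw_protected("sess-victim", dict(forged))   # no token available cross-site
    legit = dict(forged, csrf=issue_csrf_token("sess-victim", "withdraw"))
    r3 = withdraw_protected("sess-victim", legit)
    return r1, r2, r3


if __name__ == "__main__":
    print(demo(), BALANCES)
```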

Given the transient nature of darknet markets as of late, our analysts will continue to watch whether or not Empire Market strikes back and exit scams its users like many others before them.

— Reddit user "penthat"

With the ever-increasing uncertainty of darknet marketplaces, it is a mystery why darkweb users continue to flock to a centralized marketplace architecture. Darknet forums have suggested OpenBazaar 2.0, if set up with a Tor proxy, may be a viable decentralized solution to darkweb vending. In the spring of 2014, Amir Taaki and a team of developers created the foundational design for OpenBazaar in a proof of concept project called “DarkMarket” at the Bitcoin Hackathon in Toronto, Canada. While Taaki had no intention to pursue development after the conference, developer Brian Hoffman encouraged Taaki to economize and help establish the company OB1 to work specifically on development of the OpenBazaar protocol. In 2016, Hoffman and Taaki, along with their team of developers, successfully launched a networked version of the market designed to facilitate a series of 2-of-3 multi-signature moderated transactions with a wide range of cryptocurrencies. Each step of the transaction is cryptographically signed, making the marketplace a highly secured version of e-commerce websites such as Amazon and eBay. In November of 2017, further upgrades to the protocol yielded OpenBazaar 2.0 with over 10,000 peer-to-peer nodes. The 2.0 version of the system is a completely new network from OB1 built upon the InterPlanetary File System (IPFS), allowing users to access vendor stores when the owner (host) is offline. Because OpenBazaar is a Clearnet protocol, it is no surprise the top listings are common household purchases such as food, clothing and books.

Given its decentralized and IPFS architecture, darknet drug and digital goods providers are keen to use OB2 anonymously. In order to use the market anonymously, OpenBazaar supports running the market on top of the Tor proxy for added privacy and security. Some Tor-based vendors have questioned OpenBazaar’s usability with complaints that they regularly miss orders. Unfortunately, there is no technical solution to date, although OpenBazaar admins attribute the vendors’ complaints to “unsupported operating systems (OS) like Whonix.” OpenBazaar users who are interested in selling or purchasing illegal goods are strongly advised to consider additional security protocols beyond Tor, such as VPNs, and to thoroughly establish good operational security, e.g. PGP encrypted communications.

Our darknet experts have witnessed a number of darknet drug vendors discussing adding OpenBazaar to their market portfolios. We also regularly check OpenBazaar 2.0, a forthcoming feature of the DarkOwl Vision platform, for additional insights into how this new decentralized marketplace can influence and shape the atmosphere and consciousness of the darknet as we know it.

Looking back, it's hard to believe that Bitcoin breaching the $1,000 benchmark was landmark news just a year ago. But so it was! Here's a look back at 2017 and the key events that took place along the way.

A strong start for cryptocurrency and a hard-hit for Tor Hidden Services

In January 2017, Bitcoin hit an all-time record high of $1,100 USD despite the fact that China’s central bank, the People’s Bank of China (PBOC), urged investors to “take a rational and cautious approach to investing in the digital currency.” During the same time, Microsoft added Bitcoin support to its enormously popular Excel spreadsheet program to allow users to track, calculate, and analyze Bitcoin data.

In February, the hacker group Anonymous targeted Tor service provider Freedom Hosting II, taking over 10,000 hidden services offline. Anonymous stated they hacked the web hosting provider for harboring and assisting in publishing illicit child content on over 5,000 of its services. The hackers dumped 74GB of files and 2.3GB of database content as well as the private keys of every site hit. This was the second time Anonymous targeted Freedom Hosting.

March and April brought to light numerous major commercial data breaches, often compromised through a cocktail of SQL injection techniques. Thousands of records including leaked personally identifiable information appeared for sale across darknet markets, and DarkOwl successfully harvested much of the data into its DarkOwl Vision engine to cross-reference for customer queries. Major databases include Sony PlayStation, Yahoo, and LinkedIn, among others, totaling millions of account data records.

WikiLeaks took the spotlight of the spring for “leaks” when it began sharing classified documents from the CIA called Vault 7. The first part of the series, called “Year Zero” documents the scope and direction of the CIA’s global covert hacking program and revealed how the CIA uses sophisticated zero-day exploits to spy on its enemies both domestic and abroad. Hackers across the darknet gained tremendous knowledge from the source code and documentation that accompanied this breach.

In May, the WannaCry Ransomware hit more than 300,000 computers across at least 150 countries, crippling the UK National Health Service (NHS) impacting patient care in 16 hospitals. Two days after the WannaCry ransomware outbreak, French police seized a server running two Tor relays belonging to French activist Aeris, who said the server was confiscated in connection to the WannaCry attacks. The activist pointed out on his Twitter feed that tens of other Tor nodes in France all disappeared during the same time.

WannaCry Ransomware Instructions

The attack was stopped by a young cybersecurity researcher, Marcus Hutchins who was arrested later in the year in Las Vegas after attending the international BlackHat & DefCon conference. US police charged the hacker, who used the moniker "MalwareTech," for allegedly creating the Kronos virus that aimed to steal peoples' banking details online. He could face up to 40 years in prison if found guilty.

At the same time the world was trying to figure out what ransomware was and how to prevent themselves from becoming WannaCry’s next victim, authorities sentenced Steven Chase, the administrator for popular darknet child predator forum, PlayPen, to 30 years in prison and arrested over 800 forum affiliates across the globe.

Darknet markets are seized and cryptocurrency markets respond

Seizure Sites for Hansa and AlphaBay Darknet Markets

At the start of summer in June, cryptocurrency holders were enthusiastic to see the price of bitcoin hit $3,000 USD. In July, a joint international law enforcement effort, dubbed Operation Bayonet, shook the foundation of the darknet when authorities arrested Alex Cazes, the creator and administrator of AlphaBay. The disruption of what was at the time the largest ever darknet market sent thousands of AlphaBay vendors and buyers to Hansa market, which was simultaneously functioning as a honeypot run by the Dutch Police, as we found out when its moderators were also arrested in June. Cazes was found dead in his Thailand jail cell days after the arrest, allegedly opting to take his own life rather than face international cyber criminal prosecution.

The subsequent panic that flooded the darknet when AlphaBay and Hansa came down still pervades the darknet today. Many redditors and users of darknet forums were found asking, “where can I find my vendor?” or “what darknet market can I trust?” … Dream Market was believed to be the only safe market to transact with, until rumors of their compromise began circulating as well.

Paranoia about Dream Market Survival

With the demise of AlphaBay and Hansa, TradeRoute experienced a surge in listings and transactions, until security issues soon began plaguing the popular marketplace. In August, a hacker known only as HugBunter claimed to have breached the market and supposedly blackmailed TradeRoute administrators for weeks, bringing into further question the security of any darknet market.

Throughout this time, DarkOwl witnessed a drop in user relay activity reported by the Tor Project and an increased appearance of vendor-specific hidden services.

HugBunter's post regarding TradeRoute Hack

Wolf Creek Nuclear Operating Station, Burlington, Kansas

At the same time that darknet marketplaces were falling and panic was permeating the darknet, hackers breached the networks of US-based energy utilities.

Wolf Creek Nuclear Power Station in Burlington, Kansas was the first power facility to have its networks compromised. Luckily, the administrative network that was hacked was separate from the networks controlling plant operation. Rules enforced by the Nuclear Regulatory Commission require “air gaps,” i.e. the controls of a plant do not connect by hardwire or antenna to outside systems or the internet, to prevent impact to US power infrastructure. It was shortly after this that DarkOwl launched its research and the Utilities Index, evaluating the darknet footprint of major US energy utilities.

In the fall, even more data breaches surfaced on the darknet. OurMine and HBO had a full-on cyber war over the release of several episodes of HBO’s popular, Game of Thrones (GoT). Equifax was hacked, compromising 143 million American credit reports. Data from the Equifax breach has yet to appear legitimately for sale on the darknet, despite attempts by one group who call themselves Equihax0r. The popular darknet hacking forum Ex0du$ mysteriously disappeared, and TradeRoute shut down completely.

In October, the price of bitcoin rose slightly to $4,288 USD, while a Norwegian newspaper broke that the largest child abuse and illicit child content forum on the darknet, Child’s Play, had been seized by authorities. To execute the operation, dubbed Operation Artemis, Australian authorities ran the hidden service as a honeypot for over 11 months to trap child abusers. It remains the largest operation of its kind, and arrests are still ongoing for staff and members of the site. Child’s Play had over a million registered accounts and thousands of active users during the operation.

The remaining darknet markets saw an intensive distributed denial of service (DDoS) attack against them resulting in Dream Market registering hundreds of Tor mirror sites to avoid shutdown. The darknet’s most popular social media site Galaxy 2 crashed after poor system administration in October.

On Thanksgiving in the US, we witnessed the public hack and exposure of the Facebook of Tor, Blackbook. Their 15,000+ membership account details were subsequently posted on public pastebin sites across the clearnet, and on several darknet sites as well. A hacker known as bRpsd took credit for the breach, claiming they exploited vulnerabilities with the hidden service’s SQL databases. The resulting doxxed data revealed that an extraordinary number of Blackbook members used popular email providers, such as Gmail, Yahoo or Hotmail for their account registration.

Holiday conversations focused on bitcoin’s rapid price surge in November, as many families learned what a cryptocurrency is. Hackers and legitimate website administrators alike turned to JavaScript-based cryptocurrency miners to leverage the CPU power of their site visitors' PCs to mine Bitcoin or other cryptocurrencies, a practice known as cryptojacking. Malware experts revealed that these scripts can keep working after you have left the website and even after closing the browser.

By the 16th of December the price of Bitcoin was in excess of $19,000.

All was quiet in the darknet until the FCC’s reformation of net neutrality passed only the week before Christmas, leaving many astounded.

To end the year, Police arrested and sentenced multiple drug vendors from Dream Market and Agora. It was reported that police seized servers from the Russian marketplace Hydra, though the Russian administrators denied any police activity on their official Telegram channel, instead attributing any disruption in service to an alleged DDoS attack that had been perpetrated on their servers.

“Dear friends, guests and long-time Hydra users! We have just stopped all the timers. The decision to take this measure is connected with an unstable work of the market caused by DDoS attacks. Pre Orders, orders, disputes, rent payment are temporarily frozen. No need to worry. The situation is under control. Please, wait till the server operation is fully restored.”

— @hydraoniondeep

As 2018 continues, we anticipate that the darknet as we know it will continue to be a place of uncertainty and volatility, with attempts to de-anonymize users through traditional browser vulnerabilities and creative traffic and timing correlation techniques. A resurrection of previous darknet markets will be promoted, and new darknet markets will emerge as they have time and time again after previous market seizures.

It is likely that Tor will continue to increase in popularity, especially with what we predict will be an increasing number of net neutrality activists and refugees. We predict that Tor’s increasing popularity will drive many to other darknets such as I2P and ZeroNet, both of which also saw a significant increase in usage throughout 2017.
